VYPR
High severity · NVD Advisory · Published Mar 8, 2024 · Updated Aug 5, 2024

Wasmi Out-of-bounds Write for host to Wasm calls with more than 128 Parameters

CVE-2024-28123

Description

Wasmi interpreter before 0.31.1 has an out-of-bounds buffer write when the host calls a Wasm function with more than 128 parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

CVE-2024-28123 is an out-of-bounds (OOB) buffer write vulnerability in the Wasmi WebAssembly interpreter, which is designed for efficient execution on constrained and embedded systems [1]. The flaw occurs specifically when the host (external caller) calls or resumes a Wasm function with more parameters than the default limit of 128 [3]. Because the interpreter's stack is not sized for that many parameters, writing them runs past the end of the stack buffer, which is the out-of-bounds write [4]. Importantly, this vulnerability does not affect calls from Wasm to Wasm; only calls originating from the host side trigger the bug [1].

Exploitation and Attack Surface

Exploitation requires an attacker to either directly control a host-to-Wasm function call with an excessive number of parameters (more than 128) or to influence a host application that accepts such calls from external users [3]. While functions with such a high parameter count are rare, the attack vector is serious when present [3]. Studies of dependent systems, such as Pallet Contracts, Parity Signer, and Smoldot, confirm that none are affected because they always limit host-to-Wasm calls to a small number of parameters [4].

Impact

If successfully exploited, an attacker can cause an out-of-bounds buffer write, potentially leading to memory corruption or undefined behavior in the interpreter [1]. The impact is limited to the security context of the host application embedding Wasmi, but given the interpreter's use in safety-critical environments, the OOB write could be leveraged for further compromise [4].

Mitigation

The vulnerability was patched in Wasmi version 0.31.1, released on 2023-12-01 [3]. Users running versions 0.15.0 through 0.31.0 should update immediately [4]. As a workaround, ensure that no host-to-Wasm function call passes more than 128 parameters [4]. The bug was responsibly disclosed to the Wasmi team by the Stellar Development Foundation [4].
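
An added example, not Wasmi's code: a simplified safe-Rust model of the reserve-then-extend order that the fix commit applies on the host-to-Wasm path. `ValueStack`, its fields and methods, the 128-slot initial length and the 1024-slot maximum are assumptions chosen for illustration.

```rust
// Simplified model with hypothetical names; not Wasmi's actual types.
#[derive(Debug, PartialEq)]
pub enum StackError { Overflow }

pub struct ValueStack {
    slots: Vec<u64>, // backing buffer; len() is the allocated size
    sp: usize,       // index of the next free slot
    max_len: usize,  // hard upper bound on the buffer size
}

impl ValueStack {
    pub fn new(initial_len: usize, max_len: usize) -> Self {
        Self { slots: vec![0; initial_len], sp: 0, max_len }
    }

    /// Make room for `additional` values, growing the buffer if allowed.
    pub fn reserve(&mut self, additional: usize) -> Result<(), StackError> {
        let needed = self.sp.checked_add(additional).ok_or(StackError::Overflow)?;
        if needed > self.max_len {
            return Err(StackError::Overflow);
        }
        if needed > self.slots.len() {
            self.slots.resize(needed.next_power_of_two().min(self.max_len), 0);
        }
        Ok(())
    }

    /// Copy values in. The caller must have reserved space first; in this
    /// safe model a missing reserve panics instead of corrupting memory.
    pub fn extend(&mut self, values: &[u64]) {
        for &v in values {
            self.slots[self.sp] = v;
            self.sp += 1;
        }
    }

    /// Host-to-Wasm entry point: reserve, then extend, in that order.
    pub fn push_call_params(&mut self, params: &[u64]) -> Result<usize, StackError> {
        self.reserve(params.len())?;
        self.extend(params);
        Ok(self.sp)
    }
}

fn main() {
    let mut stack = ValueStack::new(128, 1024); // constructed sizes
    println!("{:?}", stack.push_call_params(&[7; 200]));
    println!("{:?}", stack.push_call_params(&[7; 2000]));
}
```

With these constructed sizes, the 200-parameter call succeeds because the buffer grows first, and the 2000-parameter call is rejected with an error before any value is written.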

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
wasmi (crates.io) | >= 0.15.0, < 0.31.1 | 0.31.1

Affected products

2
  • ghsa-coords
    Range: >= 0.15.0, < 0.31.1
  • wasmi-labs/wasmi v5
    Range: >= 0.15.0, <= 0.31.0

Patches

1
f7b3200e9f3d

fix bug in wasmi executor

https://github.com/wasmi-labs/wasmi · Robin Freyler · Dec 1, 2023 · via ghsa
1 file changed · +6 -2
  • crates/wasmi/src/engine/mod.rs · +6 -2 · modified
    @@ -647,7 +647,9 @@ impl<'engine> EngineExecutor<'engine> {
             Results: CallResults,
         {
             self.stack.reset();
    -        self.stack.values.extend(params.call_params());
    +        let call_params = params.call_params();
    +        self.stack.values.reserve(call_params.len())?;
    +        self.stack.values.extend(call_params);
             match ctx.as_context().store.inner.resolve_func(func) {
                 FuncEntity::Wasm(wasm_func) => {
                     self.stack
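Review bot: the added `self.stack.values.reserve(call_params.len())?;` line carries no comment saying that the following `extend` depends on capacity having been reserved, and the change touches only crates/wasmi/src/engine/mod.rs, so no regression test accompanies it. A short comment at this call site would record the invariant, and a test that calls a function with more than 128 parameters from the host and expects either success or a clean error would keep the check from being dropped in a later refactor.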
    @@ -689,7 +691,9 @@ impl<'engine> EngineExecutor<'engine> {
             self.stack
                 .values
                 .drop(host_func.ty(ctx.as_context()).params().len());
    -        self.stack.values.extend(params.call_params());
    +        let call_params = params.call_params();
    +        self.stack.values.reserve(call_params.len())?;
    +        self.stack.values.extend(call_params);
             assert!(
                 self.stack.frames.peek().is_some(),
                 "a frame must be on the call stack upon resumption"
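Review bot: on this resume path the `?` on `reserve(call_params.len())` returns after `self.stack.values.drop(...)` has already modified the value stack, so an allocation failure leaves the stack in a partially updated state. It is worth confirming that callers treat this error as terminal for the resumable call, or that the stack is reset before reuse as the first call site does with `self.stack.reset()`. The same three-line reserve/extend sequence now appears at both call sites; moving it into one helper would keep a future host entry point from calling `extend` without the reserve.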
    
